Facebook Messages Security in Focus

Facebook's recent announcement could expand the security threat landscape for the site, some say. The social network shared with eWEEK how it is dealing with that.

When Facebook announced its plans Nov. 15 for its Messages feature, it opened the door to new questions about spam and security. Once it is fully rolled out, the new Messages interface will weave together not only Facebook messages, but also chats, SMS (texts) and e-mails in a central location.

"You decide how you want to talk to your friends: via SMS, chat, e-mail or Messages," blogged Facebook engineer Joel Seligstein. "They will receive your message through whatever medium or device is convenient for them, and you can both have a conversation in real time. You shouldn't have to remember who prefers IM over e-mail or worry about which technology to use. Simply choose their name and type a message."

According to Facebook, this has all been engineered with security in mind. Part of that means extending existing privacy controls: users can control who can send them messages from the "Basic Directory Information" section of their "Privacy Settings" page. From there, users select "View settings" and change the setting for "Send me messages."

"Only e-mails from people that fall within the message privacy setting you choose will be delivered to your Facebook message inbox," a Facebook spokesperson said. "For example, if you selected the 'Friends Only' setting, then messages from e-mail addresses that we can't determine belong to one of your friends will not get delivered to you. Instead, those senders will receive automatic bounce-back replies."

"When someone sends you a message on Facebook through SMS (or e-mail or chat), it works the same as any other message," the spokesperson continued. "Whatever privacy settings you have in place for who can send you messages will be respected no matter what mechanism they use to send you the message. You can block individual people if you do not want them to message you."
Still, the problem of spam could be a real one, noted Graham Cluley, senior technology consultant at Sophos. The e-mail address Facebook is providing users, which ends in @facebook.com, is trivial to work out because it will be based on people's public usernames, he said.

"It seems to me that the opportunities for bad guys to exploit Facebook users (are) going to increase, and that the damage that can be done will be greater," he said. "Imagine, for instance, just how much data could be scooped up by accessing someone's Social Inbox, and being able to read all of the communications that ever occurred between two people - or how a compromised Facebook account could now be used to send messages external to the Facebook system."
The Social Inbox is where messages from a user's friends, and their friends' friends, will go by default. Everything else lands in a separate "Other" folder.

"If someone you know isn't on Facebook, that person's e-mail will initially go into the Other folder," Seligstein blogged. "You can easily move that conversation into the Inbox, and all the future conversations with that friend will show up there. You can also change your account settings to be even more limited and bounce any e-mails that aren't exclusively from friends. This kind of message control is pretty unprecedented. ... Messages reverses the approach to preventing unwanted contact. Instead of having to worry about your e-mail address getting out, you're now in control of who can actually reach you."
Facebook did not say specifically how it would handle file attachments arriving via e-mail, such as PDF documents. However, the company stated that it will take advantage of its existing spam-fighting technology and has contracted with an unnamed third party to supplement its security protections for the new Messages features.
"All Facebook users will need to be on their guard against having their accounts broken into, and maintain a solid (defense) against phishing, malware, spam and rogue applications," Cluley said. "Facebook itself will also be tested to see how well it can block malware attacks and spam campaigns in a timely fashion."